If you’re self-hosting a web app behind Nginx Proxy Manager and running a separate WireGuard VPN for team access, you’re juggling two stacks with overlapping jobs. This Pangolin VPN review covers fosrl/pangolin, an open-source project that merges both roles — identity-aware VPN, tunneled reverse proxy, and zero-trust access control — into a single self-hosted platform on your own VPS.

Quick Verdict: Pangolin is an open-source ZTNA platform that replaces the typical multi-tool remote access stack with one control plane. It handles WireGuard-based VPN connectivity, exposes web apps through a clientless reverse proxy with SSO and custom domains, and in v1.19 added browser-based SSH, RDP, and VNC. It’s not a Tailscale killer, but for self-hosters who want data sovereignty and a simpler stack, it’s one of the most compelling options right now.

Disclosure: Some links in this review are affiliate links. If you sign up through them, I may earn a commission at no extra cost to you.

What Makes Pangolin Different

The key architectural decision is hub-and-spoke. Unlike Tailscale and NetBird’s mesh P2P model, where every node connects to every other, Pangolin uses outbound-only connectors (Newt) per network segment. That means no open inbound ports and no firewall holes on the networks behind the connectors. The control plane runs as four Docker containers: Pangolin (API/dashboard), Gerbil (tunnel management), Traefik (SSL/reverse proxy), and optional Newt connectors per site.

I deployed it on a $6 DigitalOcean droplet (1 vCPU, 1.5GB, Ubuntu 22.04) — new accounts get $200 credit to experiment. The installer is straightforward:

curl -fsSL https://static.pangolin.net/get-installer.sh | bash && sudo ./installer

The script asked for a domain, admin password, and OIDC details. From SSH login to dashboard access: roughly 4 minutes. The web UI surprised me — clean layout with Resources, Users, Sites, and Audit Log on the left sidebar. No clutter, no onboarding wizard that tries to upsell you.
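Piping the installer straight into bash, as in the command above, executes the script before anyone has read it. The following is an added example, not code from the Pangolin project: it saves the script to disk and reviews it first. `audit_script` is a hypothetical helper, and the sample script it runs on is constructed so the block works offline.

```bash
#!/usr/bin/env bash
# Added example: review a downloaded installer script before running it.
# audit_script is a hypothetical helper, not part of Pangolin.

# Print the file's SHA-256, syntax-check it without executing it, and list
# the lines that fetch, escalate or execute something.
# Returns 1 if the file is empty/missing or does not parse.
audit_script() {
  local file=$1
  [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
  bash -n "$file" || { echo "syntax check failed: $file" >&2; return 1; }
  echo "sha256: $(sha256sum "$file" | cut -d' ' -f1)"
  echo "lines to review:"
  grep -nE '\b(curl|wget|sudo|eval|chmod|systemctl)\b|[|][[:space:]]*(ba)?sh\b' "$file" \
    || echo "  (none matched)"
}

# Constructed sample standing in for a downloaded script (NOT the real one).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#!/bin/bash
ARCH=$(uname -m)
curl -fsSL "https://example.invalid/installer_${ARCH}" -o installer
chmod +x installer
EOF
audit_script "$sample"
rm -f "$sample"

# Real use, with the URL from the article:
#   curl -fsSL https://static.pangolin.net/get-installer.sh -o get-installer.sh
#   audit_script get-installer.sh && less get-installer.sh
#   bash get-installer.sh && sudo ./installer
```

Keeping the printed hash with your deployment notes lets you tell later whether the script served at that URL has changed since you reviewed it.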

Identity-Based Access, Not Subnet Access

This is what sets Pangolin apart from standard VPNs. Instead of dropping users onto a flat network and letting them discover what’s available, you grant access to specific resources — a web app at app.yourdomain.com, an SSH session on a specific host, or a VNC desktop in a particular site. Users authenticate via OIDC (Google, GitHub, Azure AD, or any OIDC provider) and see only what they’re authorized to access.

Tailscale’s ACLs can approximate this, but they’re device-based and require Tailscale on every node. Pangolin’s approach, by contrast, is resource-centric — the access policy lives on the server, and users don’t need any client beyond a browser. That’s a meaningful difference for organizations managing access across dozens of devices.

Browser-Based SSH and RDP Actually Work

Version 1.19, released June 11, 2026, added native browser-based SSH, RDP, and VNC through the dashboard. I tested the SSH session against a headless Ubuntu server in my homelab — connected, ran htop, tailed a log file. Latency was barely noticeable. For quick maintenance, this eliminates the friction of launching a terminal, finding the right SSH key, and typing the connection string. It just works — no client install required.

| Feature | Pangolin | Tailscale | Firezone | NetBird |
|---|---|---|---|---|
| Architecture | Hub-and-spoke | Mesh P2P | Gateway-based | Mesh P2P |
| Web app exposure | ✅ Clientless, custom domains | ⚠️ Funnel (paid) | ❌ VPN only | ❌ VPN only |
| Full self-hosting | ✅ AGPL stack | ❌ Headscale (community) | ✅ Server open-source | ✅ Self-host option |
| Browser SSH/RDP | ✅ Native (v1.19) | | | |
| Identity-based RBAC | ✅ Resource-centric | ⚠️ Device-based ACLs | ✅ Gateway policies | ⚠️ Device-based |
| Open-source license | AGPL-3.0 | Mixed (closed coordinator) | Apache 2.0 | BSD 3-Clause |
| GitHub stars | ~21,000 | ~22,000 | ~7,500 | ~3,500 |

What to Watch Out For

Pangolin is young — initial release was September 2024. It has 7,207 commits and very active monthly releases, but it doesn’t have the years of real-world deployment that Tailscale or WireGuard proper have accumulated. I’d recommend running it in a staging environment before putting it in front of a production team.

The Community Edition is AGPL-3.0, free for organizations under $100K revenue. Enterprise features (advanced audit logging, SAML SSO) need a commercial license. Pricing is behind a “Contact Sales” wall — not great for self-hosters who’d like the cost upfront.

Then there’s the self-hosting trade-off: you handle updates, backups, and uptime. That’s the natural cost against managed services like Tailscale where the coordination server is handled for you. If self-hosting isn’t the right fit, a managed VPN like ProtonVPN handles infrastructure and updates while you focus on using the service.

Bottom Line

Pangolin is one of the most interesting self-hosted infrastructure projects in the ZTNA space right now. It fills a genuine gap — consolidating VPN and reverse proxy into one identity-aware platform. The v1.19 browser-based SSH/RDP feature alone justifies a look. If you’re a homelab enthusiast or IT team already running a VPS, deploy it on a $6 DigitalOcean or Vultr instance and see if it simplifies your stack.
